Ubisoft Responds To UPlay Security Drama, Issues Patch


Well, we knew about the patch already thanks to watchful forum-folk, but Ubisoft have finally offered a public acknowledgement of the Uplay security flaw that in theory meant nasty folk could gain remote access to gamers’ PCs. Here’s their statement and instructions on how to update Uplay – they’re not recommending that anyone disable Uplay, and sound convinced the patch has fixed the exploit.

“We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com.

Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.”

No apology and no addressing of quite why Uplay needs a silently-installed browser plugin that allows the firm to monitor its customers’ PCs in addition to the UPlay app itself, but right now the fix is the most important thing. The patch was pretty rapid (landing about nine hours after the exploit became public knowledge) and that’s very much to their credit, but I am personally of the opinion that all firms have a duty to warn their customers of such dangers just as soon as they know the nature of the threat themselves.

Fortunately, no-one of dark intent seems to have exploited the exploit as yet – let’s hope everyone affected is able to safely patch their Uplay before anything nasty gets into the wild.

DO NOT defend these bungholes by saying that software development is hard. Earning money in MY fucking job is hard too, but I don’t implement DRM shit that gets installed in the BROWSER of the customers, just because I’m a paranoid and lying asshole like the guys at 90% of gaming companies are these days.

Dev teams don’t make up their own requirements.
Business people do. Dev teams just implement it as best as they can.
I refer to dev teams, to mean business analysts, programmers, testers, automators the whole lot.
The fact it was there – that’s because business wanted a solution that required it existed there.
The fact it went wrong, that’s on the dev team’s head.

Stop using Steam guys: Valve has fixed a man-in-the-middle vulnerability in the Windows Steam client, which would have allowed a correctly-positioned attacker to divert and decrypt HTTPS traffic without the victim’s knowledge. This made sensitive payment details, such as PayPal credentials, vulnerable to eavesdropping. http://ir.gl/f9550f

The thing is, this is not an exploit of a vulnerability, it’s just using the plugin’s primary task: execute commands remotely. It was planned and designed for it. The patch just makes the plugin able to execute a certain subset of commands, related to UPlay. AFTER being caught. In mere hours. No testing needed.

What, a browser plugin that allows direct execution of anything on your system? As a software engineer who has worked on server side security for online systems with thousands of concurrent users, this is the worst and most visible back door left into a system that I have ever seen.

There is always a balance of tolerance and understanding and while certainly no piece of software is 100% perfect it is also very hard to feel goodwill to a company fucking up very badly on a browser plugin that was installed secretly and many users did not know existed. Even less goodwill is available when it is unclear why the stealth plugin even exists in the first place.

I’m baffled. I can’t possibly fathom how someone can honestly defend this security Waterloo with a straight face. Installing a backdoor on your customer’s computer, that loads up even when the company’s software isn’t even remotely affected, that same backdoor allowing full user access – and then being so goddamn smug to not even bother with any sort of security on that thing so even complete thought-a-phobics can abuse this.
And there’s people defending this as yet another bug?!

I believe the point was that it might as well be a button saying “Compromise System” since there is NO logical chain of events that would lead to A DRM PROGRAM installing a security-compromising BROWSER PLUGIN on a user’s computer. This makes even less sense than Origin’s BS. At least they can defend themselves by saying that Steam does the same, except with search history. Unless someone finds the section of the EULA where you give Ubi permission to install a trojan in your system, Ubisoft could get sued clear out of the industry.

Did you even look at the code before you went ahead and claimed hyperbole?

The exploit calls the DRM Plugin from Ubisoft, neatly sitting in your browser. From there, you can/could make it do everything on your computer, that you can do with a simple command-line call.

Hit your Windows key and R. Enter:
C:WINDOWSSYSTEM32CALC.EXE
(comment system eats slashes, insert where appropriate)
Now Base64 Encode it. Google helps.
There, see that original post with the link? Look it up. I’ll wait.
See something familiar? Like that odd number and letter thing?

Congratulations, Hacker. You’ve successfully cracked the “security” on this exploit. They could have made it Hex and still have the same amount of security. Still claiming hyperbole?
(P.S.: All this information was linked in the original post, this post is to simply clarify how bad or rather nonexistent the security on that thing was).
P.P.S: Website ate my post. :(
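The comments above describe two things: a plugin that ran whatever base64-wrapped command line a web page handed it, and a patch that limits it to a subset of Uplay-related commands. The sketch below is an added example, not Ubisoft's code, showing what such a restriction has to check on the receiving side; the origin, game id, path and request format are all hypothetical.

```python
import base64
import binascii
import json

# Hypothetical values for illustration; the page names no real origins, ids or paths.
TRUSTED_ORIGINS = frozenset({"https://launcher.example"})
INSTALLED_GAMES = {
    # game id -> fixed argv written by the installer, never taken from the web page
    "game-001": [r"C:\Games\Example\game.exe", "-launcher"],
}


class Rejected(Exception):
    """Raised when a launch request must not be executed."""


def decode_request(blob):
    """Decode the base64 wrapper. This step is transport encoding only:
    anyone can produce a valid blob, so it proves nothing about the sender."""
    try:
        raw = base64.b64decode(blob, validate=True)
        request = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError) as exc:
        raise Rejected("malformed request") from exc
    if not isinstance(request, dict):
        raise Rejected("request is not a structured object")
    return request


def resolve_launch(origin, blob):
    """Return the argv to start, or raise Rejected.

    The caller must pass `origin` as reported by the browser, not by the page,
    and must start the result without a shell (e.g. subprocess.run(argv))."""
    if origin not in TRUSTED_ORIGINS:
        raise Rejected("origin not allowed: %r" % (origin,))
    request = decode_request(blob)
    if set(request) != {"action", "game"}:
        raise Rejected("unexpected fields")
    if request["action"] != "launch":
        raise Rejected("action not allowed")
    game = request["game"]
    if not isinstance(game, str) or game not in INSTALLED_GAMES:
        raise Rejected("unknown game id")
    # The page chooses *which* installed game, never *what* gets executed.
    return list(INSTALLED_GAMES[game])


def encode_sample(obj):
    """Build a constructed sample blob the way a web page would."""
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


def check(origin, blob):
    """Convenience wrapper: (True, argv) or (False, reason)."""
    try:
        return True, resolve_launch(origin, blob)
    except Rejected as exc:
        return False, str(exc)


# Constructed sample requests.
GOOD = encode_sample({"action": "launch", "game": "game-001"})
RAW_COMMAND = base64.b64encode(b"calc.exe").decode("ascii")  # free-form command line

if __name__ == "__main__":
    print(check("https://launcher.example", GOOD))
    print(check("https://other.example", GOOD))
    print(check("https://launcher.example", RAW_COMMAND))
```

The free-form command line is refused because the handler only accepts a structured request whose game id maps to a path it already holds, and the same well-formed request is refused from any origin outside the allowlist.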

The quality of their code and the industry standards are 100% irrelevant.

The problem is that they silently injected a plugin that has absolutely ZERO use or benefit for the customers in order to “stop Piracy” (hint, if we have that crap on our machines, that means we’re not the pirates). Then that useless and invasive piece of code actually turns out to have introduced a serious security flaw on the paying customers’ system.

They get ZERO benefit of doubt in this scenario. Actually, they get NEGATIVE benefit of doubt. They should be working their asses off to show how fucking wonderful their horrendous flaky and vulnerable “always online” DRM system is.

They should be held to that standard because the application in question is not something we’re running willingly. We just want the games to run, not the Uplay spyware/malware. When we install uplay on our systems the trade is “you run your uplay on our system, we get to play games”, not “we open up our computers to any two-bit crook who wants in, we get to play games”.

@tyrsius, I am a software developer. There is buggy, and there is *shoddy*. Not checking what you are accepting as input, all the while running code from the internet and taking for granted it will be your code only, is plain ass shoddy. It shows a thorough misunderstanding of security and acceptable coding practice.

From Geek.com:
“The discovery was made by Tavis Ormandy, an information security engineer at Google, when he installed Assassin’s Creed: Revelations on his laptop. He noticed that during the installation Uplay installed a browser plug-in that allows any website to gain access to your machine through a backdoor and take control of it.

The plug-in can be classed as a rootkit because it is thought to allow continued privileged access to a machine without a user’s consent. If this was limited just to the Uplay service with regard to checking games are legal it would still be a major concern, but the fact any website could potentially use the plugin escalates the seriousness of what is happening here.”

Remember Sony? I wonder if Ubi have opened themselves up to a similar suit?

You’re completely right. I’ve often heard of aeronautical and military applications requiring even more thoroughly or equally as vetted code – generally, anything that could be considered ‘life-critical’ is a candidate. Of course, the average cost per line of code will go up by a factor of ten or a hundred or a thousand when it is written to such a caliber that it is effectively bug-free, but it does exist.

“And don’t worry about that empty intern position, as we have hired another intern who is being paid at half the salary of the old one. Improving your service AND meeting the bottom line – that’s Ubisoft.”

Stop using Steam guys: Valve has fixed a man-in-the-middle vulnerability in the Windows Steam client, which would have allowed a correctly-positioned attacker to divert and decrypt HTTPS traffic without the victim’s knowledge. This made sensitive payment details, such as PayPal credentials, vulnerable to eavesdropping. link to highseverity.com

Big holes in DRM-systems when it comes to security. Not validating certificates is a huge oversight, but at least Valve fixed it. While taking their sweet-ass time to do so. Again. I am worried that Valve takes “forever” to fix these exploits and notify their users.

Obviously not as bad as the remote code execution exploit that UPlay had, but still.

Note that you’d need to redirect users to a fake site by say hijacking their DNS to exploit this one – pretty hard to exploit. As opposed to simply leaving code on a website waiting for them to stumble across it.

Agreed. However compared to this it is much harder to exploit a man in the middle attack. Especially if you’re not on wireless (ish). On a wired connection getting in between me and my ISP/DNS and/or between them and Steam is difficult. Compared to just slapping a uPlay script out on the open web.

Indeed it is morally dubious, which makes people getting righteous about it particularly funny because this sort of thing happens all the time. The only difference is by and large it gets passed directly onto the programmers rather than publicly disseminated.

The only way to prevent all MitM attack vectors is to permanently sever your PC from the Internet.

A simple example of a MitM attack would be to go to a place with free WIFI, clog up the router’s IP table so nobody else could connect, then flush everyone and let them reconnect through my computer instead. Which also happens to be their favourite online bank, for some reason.

Not quite as trivial as setting up a website to run malware through your browser plugin though.

This, what the fuck did/do they “need” this for (since it was apparently only installed with uPlay 2.0 a month ago) and what is its use and why didn’t they ask people if they would allow installing it instead of doing it stealthily?

I updated Uplay to 2.04 and the exploit still works. Disable the plugin and the exploit disappears, however Uplay still launches fine as do games launched through it and they maintain their connection to Uplay (I only tested Assassin’s Creed Brotherhood; I can only assume the principle applies to the other affected games).

Why would I possibly ever have this plugin enabled? It doesn’t seem to impact the game experience, so whether Ubisoft ‘need’ it or not, I don’t.

Edit: figured out why the exploit was still working. The update download is for 2.03 not 2.04. On first launch it only shows the changelog up to 2.03, on second launch it patches up to 2.04. At least that’s what I found installing it twice… your mileage may vary.

I’m more old fashioned than most and an apology goes a long way for me.

The lack of one regarding this fiasco is probably more damaging than the situation itself (on a personal level). I will have to take some time thinking about how I approach Ubisoft games in the future, regardless of platform.

On a sidenote, I’d love to hear what developers under the Ubisoft banner think of all this mess, if any dare speak out.

A lot of people got very angry about Lulzsec revealing exploits and such but at least they brought attention to the matter.

Given how unnoticeable a lot of exploits can be and how expensive competent security is, companies simply will not fix these problems until they are forced to. As long as no one notices their customers’ information and perhaps even their money being stolen they simply don’t care.

The fact that you, personally, clearly have a vested interest in that particular topic (a citizen of that country, perhaps?) does not make it more important than what’s being discussed currently, on a website dedicated to video game news. Context is critical in judging the importance of topics, something people on the internet regularly fail to grasp.

The off topic forum is just that off topic, I just thought it was strange that people are all RAR RAR RAR over this but not one mention in the forum about finfisher which is way bigger and more damaging than this.

It really grinds my gears that World of Cross Stitching Magazine runs so many stories about cross stitching. Why can’t they run a feature about the civil war in Syria?

Post non-gaming stuff in the Other Stuff forum, Psyk. That’s what it’s there for. If and when we launch Rock, Paper, Government Skullduggery please feel free to post about government skullduggery in comments there.

This thread isn’t the off-topic forum. Even if it were, this is a video game website, people aren’t coming here to rage about government spyware. If you want to do that I’d suggest you take it to the ACLU’s website or whatever their international equivalent is.

Berating our other readers for not discussing your topic of choice in a thread about videogames isn’t on, no matter how important that issue may be. Encourage discussion in the right places and in thoughtful ways and you might achieve what you want.

I’ll be wiping this sub-thread if this mad debate continues, as it is not relevant to the topic at hand.

I don’t think it was an intended backdoor. They wanted you to be able to launch your games via browser. However, this is such a huge oversight that someone oughta get slapped for this getting through Q&A.

“A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on”

“back door: an undocumented way to get access to a computer system”

“A software program that allows access to another software program. Meant as a method for programmers to go back and update programs, backdoors are a security vulnerability because malicious users can exploit them, possibly allowing confidential or personal information to be compromised”

“gets into a user’s computer bypassing its security mechanisms. Sometimes the program can be installed for good purposes (for different kind of troubleshooting). But more frequently it is represented as malware that helps penetrating other malware like worms, Nimda, etc.”

Again, it was an intended backdoor. The intended purpose was for their website to be able to launch programs on your computer. The unintended result was anyone could make your computer do anything from a browser window. But it was still a backdoor even if only Ubi was able to use it to do benign actions.

I’m actually aware of what it is.
I’m used to dealing with people that know nothing about computers and so the simplistic thing is to tell them anything bad is spyware. I forget that people on the internet actually know things.

However, I feel that this is a criminal act that Ubisoft intended. They merely hoped they would not be found.

I looked in Chrome, Firefox and IE, and no trace of the plug-in, and the exploit doesn’t work. I reinstall uplay, try the exploit, and it now works, in spite of it being the updated 2.04 version. SHENANIGANS!!

What has to happen to make people angry enough to stop taking their bullshit? I haven’t bought a Ubisoft game since the first Prince of Persia Trilogy and I don’t plan on it until this madness stops (gotta buy Rayman tho, since it is DRM free).

Seriously, wise up people, it is not just about their system being abusive and cumbersome, they are just treating you like dogs you need to keep in line instead of customers.

“What has to happen to make people angry enough to stop taking their bullshit?” – People have different levels of tolerance, for me, up to now their aggressive DRM was a major inconvenience, but not enough that I wouldn’t jump through its hoops to play a game that looks good and has had a lot of hard work put into it on behalf of its developers.

But as I said in a previous thread, this was the straw that broke the camel’s back, the lack of an apology regarding this issue adds insult to injury. I think it’s safe to say, there are less people willing to put up with their treatment of paying customers today, than yesterday.

Let’s clear something up here: this is not fundamentally a story about DRM, it’s a story about a negligent approach to security and a shocking disregard for customers’ welfare. Yes, the offending plug-in is an element of Ubi’s DRM implementation but its function is not DRM-related and something equally bad could just as easily be included with a DRM-free game.*

Buying Rayman does not send out a message with regard to this behaviour, only one about their use of DRM in general.

*Arguably a company with Ubi’s paranoid approach to piracy might be more likely to intentionally include monitoring tools with their DRM-free releases to try to determine how widely they’re being pirated.

Yep. I hate to do it, I love the Anno games, the Assassin’s Creed games, and I’ve been looking forward to some of their other titles as well, but at this point I think I’m done with them unless/until I see a change in this behavior.

Yeah, I knew that, but I’m struggling to see why UBI would remove uplay just for GOG, and nowhere else.

*checks GOG.*

Ah, I see. There are some (much) older UBI games on there, which presumably will be DRM free – I thought you meant you’d be buying newer games (you know, the ones with the DRM in the first place) from GOG, which you won’t, because there aren’t any. ;)

I’m struggling to think of a scenario where you’d be able to take advantage of forcing it to run a specific something that’s been modified without already having sufficient control over a system to have easier attacks available. If you can replace an application then replace the user’s browser rather than an application called by a plug-in for that browser.

Given the Uplay plugin does not change nor report version numbers (the new one is version 1.0.0.0 as was the old one with the backdoor) it means Firefox now simply blacklists and disables the plugin, regardless of whatever patches Ubisoft put out.

The funny thing is that I could have sworn a Firefox “feature” introduced quite some time ago, after the Microsoft .NET helper extension kept getting installed, was supposed to stop other software being able to silently register new plugins and extensions.

Guess that doesn’t work either. (Which is not entirely surprising, since it’s as impossible a problem as DRM with current user-centric security models. If I can write to my Firefox config (say, by running Firefox as me), anything else I run as me can write to my Firefox config.)

(IE9 tries to do this too. Just got the banner at the bottom of a window saying Skype had installed one, and asking if it should be activated or left disabled.)

I feel impotent in this matter. I don’t like the situation we find ourselves in regarding DRM and the potential vulnerabilities it may expose us to like this. It seems inconsiderate and inconvenient at the very least. I would be lying however if I said that I have not been given many hours of fun thanks to the creative people at Ubisoft and I am not going to start making promises I can’t keep such as vowing never to buy another Ubisoft game.

If anyone does make such a vow here, they know we are not going to be checking up whether they are sticking to it (unless we have a back door to their system.) I know if Watchdogs lives up to the hype I will buy it and I won’t be alone. So what can be done besides constantly making our displeasure known to Ubisoft? I am not trying to say we should just deal with it for the privilege of playing their games. We believe they are doing something wrong and we want the industry to change. I just don’t know how much simply shouting at each other on forums about how much we hate them will achieve.

I vowed not to buy another Ubisoft game when they first announced Uplay… And I stuck with it for a few years too.

But I’ve since amended it to not buying any Ubisoft game that isn’t 100% DRM-free (not even Steam’s rolled-in DRM). I think buying their DRM-free games sends a stronger message than just not buying Ubisoft games at all.

I used to think that way too, but then I bought the supposedly DRM-free From Dust, so now I just don’t trust Ubisoft at all. While some of their games look interesting nothing has struck me as being worth this kind of hassle. I don’t particularly consider this a boycott, though, nor a test of willpower. It’s just that I’m not going to buy a hamburger from someone if I know they’ve wiped their arse with the bun.

On the one hand I really want to support the developers who’ve put so much effort into making great games…but this sort of activity on behalf of the publishers is hurting everyone involved and it really shouldn’t continue.

If you have the strength of will to not buy any of Ubisoft’s DRM enabled games, you’re doing a great thing. If you buy the games, I’d say vent away, at least let them know you aren’t happy with the situation as it stands, but are ‘at least for now’ willing to put up with them.

One thing I think people must not do, is turn around and pirate the games because of all this mess (this isn’t directed at you, but on comments from previous replies/threads). This will only enforce the publishers to push the DRM further down our collective throats.

Either buy the game and put up with the troubles, don’t buy the game and champion titles that release DRM free, or don’t touch anything with a Ubisoft label on it again, until they clear up their business practice.

Other than that, I think voicing your opinion in a respectable manner is the only thing we can do.

We also have to realise, this isn’t working in favour of the developers in many situations too…I imagine some developers would rather attempt to self fund than team up with Ubisoft in its current form.

Can RPS in good conscience offer any positive coverage or general promotion to Ubisoft games given the shenanigans they’ve been up to?

Sure you can explain away this as a mistake, a massive mistake, but it was a mistake that occurred in a stealth browser plugin. You really do have to wonder what other dangerous and questionable stuff Ubi will pack in with games in the future.

Not requiring a box to tick/un-tick for the plug-in is the bit that bothers me. It’s more convenient for them to have you go find the plug-in and let all the programs be able to execute URL links than be decent to the customer.

I feel more and more worried for the quality of the experience Watch Dogs will offer.

I’m going to bet on it being a brilliant game with horrendous DRM that leaves people arguing over supporting the developers vs penalising the publishers/not having to put up with that crap. (And nobody’s opinion will budge.)

So, have they actually patched the issue or not? Have you actually tested it?
Everyone I keep hearing from “updating” to this new miraculous fixed version apparently says the exploit still works and the Calculator still opens: link to pastehtml.com

That reminds me of the time the iPhone got announced for Verizon, so AT&T sneaked policies onto the store site that required premium costs for terminating your contract and stated the policy was there all along.

Even after someone posted a screen capture from the week before without the policy on the page. I hope Ubisoft doesn’t do that, someone will definitely have a screen cap and burn them on it.

What’s offensive about this story isn’t just a bug, it’s that it’s a bug in a piece of software that has no reason to exist. And Ubisoft’s reaction will be to simply fire some schmuck who was working on it, even though he wasn’t the one who ordered the pointless plug-in to be created.

So Ubi tried to prevent its customers from playing their games without being connected to the internet and a way to monitor that they never use pirated versions of their game either, and in doing that they created an even bigger security risk for the same consumers…

It’s like using a grenade launcher to clear out an ant infestation. Stop trying to drag Valve into this either, this is Ubisoft here, where Steam is a 3rd party that does allow DRM free play, Ubi does not. Ubi is a distributor that created something to protect its intellectual property interests, which means they don’t give a damn about you the “user”. This is more in line with what could happen with EA Origin. These companies do not know enough to safeguard their consumers and their very actions leave us vulnerable to external attacks.

Amusing (in a very sad way) to think that the most certain way to have a really nasty virus installed on your computer is to buy computer games legally. If one plays games and buys them legally one will eventually have a virus installed by the big companies.

We have antivirus, no-script and firewalls to protect us against shady Chinese websites. We scan for and remove spyware. We try to educate people not to open and click strange attachments in email. But we don’t protect ourselves against dangerous DRM.

Maybe there is a market here for a new type of anti-virus program that specifically protects against SONY, Ubisoft and EA?

I legitimately swore off purchasing anything published by EA at the start of the year and now I find myself adding Ubisoft to the list. I’ve honestly never felt so irate at game publishers nor so firm in the conviction to stop buying their products in every medium. The worst part is that I’m a fairly big fan of Assassin’s Creed, but I’d really much rather do without AC3 than put up with more of this crap.

Oh, and I don’t have to put up with Desmond, either. That’s a huge bonus, at least.

Pirates of course being (often? always?) unaffected by this. Maybe we should reclassify crackers to security specialists/computer doctors, given that they remove both classic rootkit like protections (starforce and friends e.g.) and the need for these kind of things as well.

It’s almost a shame this got patched so quickly and the security hole possibly closed.

I am starting to think that since normal, rational, logical thinking can’t do it, maybe if people lose their work, letters, music, art, videos, collected links, family photos and similar all at once, thanks to a remote “for the lulz” exploit-delete-all, they might begin to understand that supporting companies that “allow you” to pay them for installing intrusive, controlling, restricting DRM/control-software/flat-out-honest-to-god-spy-and-reportingware on your pc isn’t the smartest thing in the world.

TL;DR: Maybe if you lose all your most valuable work and data thanks to financing DRM, that may at least get you over the hump in understanding that it’s a bad thing to support.

Is someone here technically versatile enough to verify if there was an issue with USB ports (under WinXP 32-bit OS), which could’ve been the failures I had with my USB mouse? Since I uninstalled these plugins I haven’t had any issues with my mouse, and they were starting since the time I installed two Ubisoft games with Uplay (and never before). Some delays while using Firefox happened too, which almost every time it happened led to a complete loss of USB mouse connection.